Windows 8's built-in AV to be security of last resort

Integrated Windows Defender will activate only on PCs sans antivirus software or after other products have expired

Microsoft's Windows 8 will activate its built-in antivirus (AV) software only if it senses that the PC is not protected by another security program, according to AV vendor McAfee.

The new operating system, which last week reached its final public milestone, includes security software, dubbed "Windows Defender," that combines characteristics of both the anti-spyware program of the same name and the free Security Essentials, the antivirus program that until now has been offered as a separate download.

Microsoft first announced Windows Defender last September, and included it with that year's Windows 8 Developer Preview, and this year's Consumer Preview and Release Preview. In all three sneak peeks, Defender was switched on, and served as the operating system's default protection against malware.

But that's not how it will work when new Windows 8 PCs debut later this year.

According to Gary Davis, director of global consumer product marketing for McAfee, Microsoft has given third-party vendors and computer makers first crack at protecting PCs.

Computer makers, known as OEMs (original equipment manufacturers), typically include trial versions of major antivirus programs with their PCs. Those trials offer malware signature updates for limited periods, sometimes as short as 30 days. When the trial expires, PC owners are encouraged to upgrade to the full paid edition, which usually offers signatures for a year at prices ranging from $40 to $90.

Windows 8 cedes the AV role to those pre-installed trials, said Davis, and will not activate Windows Defender if it detects an active antivirus program that's receiving signature updates.

"Looking at the way they're doing things in Windows 8, Microsoft is going to great lengths to let AV vendors keep customers," said Davis in an interview last week.

But Microsoft didn't take the tack to please security companies.

"It is our understanding that this was mostly because of pressures from the OEM community," Davis said in an email reply to follow-up questions. "A large portion of their profits on PCs come from revenue associated with AV."

Computer makers do reap revenue from the pre-installed software, including antivirus tools, that they bundle with their PCs. In the case of AV software, OEMs receive a portion of the money paid to security vendors by customers who upgrade from the trial versions to the full editions.

That practice relies on loading the PC with a range of third-party applications -- not just AV products -- that critics scorn as "crapware" or "bloatware."

Windows 8 will activate Windows Defender automatically only if there is no other antivirus software on the computer, said Davis.

And even when the OS detects that existing AV software hasn't been updated recently, it will only offer Windows Defender as one of several choices.

When the PC stops receiving AV signature updates -- most likely because the trial version has expired -- Windows 8 begins a 15-day countdown. During those 15 days, the Action Center, a desktop component that consolidates important system notifications, will warn the user that the AV software is expired, with information about how to renew coverage.

After the 15 days, the warning will expand the options offered users.

"At the end of 15 days the user has the option to renew what they have, install Windows Defender, select another option from the Microsoft Store or click on a 'remind me later' button, which starts a seven-day notice period," said Davis.

The Microsoft Store is the name of the company's online market, where it sells its own Windows software, including operating system upgrades, as well as some third-party programs. It's not to be confused with the Windows Store, the e-mart accessible only from Windows 8 that is the sole distribution channel for Metro-style apps for that OS and Windows RT.

Currently, the only AV software sold in the Microsoft Store is from Trend Micro, which, along with McAfee and Symantec, is one of the three largest antivirus firms.

Although Windows 8 users will be notified during the 15-day span -- and after that if they take no immediate action -- the protection gap will put those PCs at greater risk of cyber attacks and malware infections.

Not that those computers won't have company: Last week, McAfee cited a year-long study and claimed nearly 20% of U.S. Windows PCs lack any active security protection. More than a third of those machines had expired AV software on their hard drives.

Microsoft's decision to hold off on activating Windows Defender in Windows 8 is in line with its approach to securing older versions of Windows. In late 2010, Microsoft began offering Security Essentials to Windows XP, Vista and Windows 7 PCs via the company's Windows Update service. Since then, Security Essentials has been listed as an optional download from Windows Update only on PCs that lack other working AV software, a category that includes present-but-expired third-party programs.

At the time, Trend Micro called Microsoft's move to use Windows Update to offer the free Security Essentials "unfair," and said it "raises significant questions about unfair competition."

AV vendors have butted heads with Microsoft several times.

In 2006, Symantec and McAfee complained to European Union antitrust regulators about Microsoft's decision to block them from accessing the kernel in the 64-bit version of Vista and to bar them from its new integrated security center. Microsoft bowed to the pressure, and later produced APIs (application programming interfaces) that gave security vendors some access to the kernel and allowed them to mesh their products' on-screen status features with the security center.

Major security companies have also regularly dismissed Security Essentials as a half-baked solution, and argued that their software is much more effective in stymieing attacks.

When Microsoft launched Security Essentials in 2009, for example, Symantec's top engineer called it a "poor product" that was a "bunch of little basic tools."

Symantec, and others, continue to use that argument to persuade potential Windows 8 users that they should pay for antivirus software rather than rely on the free Windows Defender. On its website, Symantec uses phrases like "We are the security experts" and "Norton protection includes many layers of security which Windows Defender is missing" to separate its consumer products from the free tool in Windows 8.

Although the Windows 8 Release Candidate activates Windows Defender automatically, Microsoft also has built a page that lists the current third-party AV software that works with the new OS. Most of those programs have limited lifespans of between 30 and 90 days.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is
